By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

of system activity, number of users, exposure to users outside the LAN, the sensitivity of the data, etc.

What The definition of auditing for our purposes is the review and analysis of management, operational and technical controls, and the process an operating system uses to detect and record security-related events. The records of such events are stored in a security log and are available only to those with the proper permissions. A computer system may have several audit trails, each devoted to a particular type of activity. The audit trail should allow the audit reviewers to reconstruct a complete sequence of security-related events.

Why Audit logs provide an independent review and examination of records and activities to assess the adequacy of system controls, ensure compliance with established policies and operational procedures, and recommend necessary changes in controls, policies or procedures. Audit logs also provide a good way to determine if and how attacks take place and act as a key security and system administration tool for performance, which affects the "availability of service" security tenet. However, audit logs don't perform real-time intrusion detection and notification.

No matter what events you audit, the record should at least contain: records of each action, together with trace or identification parameters; connection start and end times; and association of network activities with corresponding user audit trails. The audit trail should be backed up daily and stored separately. It's helpful to retain an online audit trail for at least 24 hours, and it's a good practice to keep all offline audit trail data on magnetic media for at least one year (or longer as specified by your policy). Keeping audit data for a specified period of time ensures that any events discovered during one time period can be traced to their origins in another time period, and investigations into security incidents can provide the best information possible to reconstruct the entire series of events.

Warning signs that indicate you need to review your audit trails are: multiple unsuccessful login or file access attempts; concurrent user connections; out-of-the-ordinary changes in system or user activity; unexplained changes in system load; signs of a physical security breach; unexplained software in the system library; odd reports from users; and unexplained batch jobs or queues.

Develop and implement your audit policy and procedures in accordance with regulations applicable to your organization, or industry best practices. In your policy you'll need to determine what events will be audited, and at what level, how often to review the audit trail, and how to maintain, retain and safeguard audit trail data. These procedures should be reviewed at least annually or updated as needed to reflect new requirements.

Other points to remember: --Targeted auditing: There could be legal issues associated with taking a closer look at an individual's activity, check with your legal counsel. --Audit your firewalls, routers, database applications, and any other equipment and applications that record activity. --Protect your audit trails. --Use audit reduction tools to reduce the volume of records you have to look at.

About the author Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:securityplanner@infosecuritymag.com

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy